Between 2009 and 2013 a group of 20 international law experts labored to produce the Tallinn Manual on the International Law Applicable to Cyber Warfare. The manual was a response to claims that cyberspace was a legal void during armed conflict. The experts, consisting of both practitioners and distinguished international law scholars, unanimously concluded that the existing norms of international law applied fully in cyberspace, although in certain circumstances the nature of cyberspace might require a degree of interpretation to fit the cyber context. Although States were initially hesitant to embrace the project, the Tallinn Manual has been widely accepted as a generally accurate restatement of the international law governing cyber operations during an armed conflict or a hostile exchange between States.

A number of issues that were addressed in the Manual continue to be characterized as unsettled in non-legal communities. This tendency is skewing the debate over cyber operations. Prominent among these is confusion regarding the law governing responses to cyber attacks. All of the experts involved in the project agreed that it was legally permissible to respond to cyber attacks by kinetic means, and vice versa. The question is not so much the nature of an attack, but its intensity. Forceful responses, whether kinetic or cyber in nature, are only lawful in response to a cyber attack rising to the level of an “armed attack”, as that term appears in Article 51 of the UN Charter. Forceful cyber or kinetic responses to cyber attacks falling below that threshold are only permissible with UN Security Council authorization. Absent that authorization, States may only respond consistent with the law of “countermeasures”, which does not permit the use of cyber or kinetic actions.

Another common misconception is that it is unlawful for civilians to engage in cyber operations during an armed conflict. In fact, international law contains no such prohibition. However, civilians who “directly participate in the hostilities” lose their protection from attack for such time as they are so participating. Thus, the enemy may attack civilians (such as individual hacktivists, government contractors, or members of the intelligence services) if they engage in hostile cyber operations. Additionally, unlike members of the Armed Forces, civilians who directly participate in hostile cyber operations may be prosecuted by another State for violations of its domestic law. In other words, they do not enjoy the “belligerent immunity” for combat activities that are lawful for soldiers. As an example, if a civilian conducts a cyber operation that results in the death of a member of the enemy’s armed forces, the enemy State could later prosecute that civilian for murder under its domestic law. But the point remains that civilians are not prohibited from conducting cyber operations by international law and there is no international law prohibition on States turning to them for such operations.

Finally, misunderstanding exists with respect to directing cyber operations against the civilian population during an armed conflict. In fact, international law only prohibits “attacking” civilians. There is an ongoing debate in the international law community over the meaning of “attack” in the cyber context. However, general consensus has been achieved that not every operation in cyberspace intended to affect or influence a civilian population is unlawful. In particular, cyber operations that merely inconvenience or irritate the civilian population, as in interfering temporarily with the connectivity of nonessential systems or conducting psychological campaigns employing the Internet, are lawful. There is, on the other hand, also complete agreement that any operation against civilians or civilian property that causes injury or physical damage qualifies as an “attack” and would therefore be unlawful.

The Tallinn Manual only addresses hostile cyber operations that implicate the UN Charter’s provisions on the use of force or that occur during an ongoing armed conflict. The NATO Cooperative Cyber Defence Centre of Excellence, sponsor of the Tallinn Manual project, has launched a follow-on three-year project (Tallinn 2.0) to examine malicious cyber operations at lower levels of intensity.

Michael N. Schmitt is Stockton Professor of Law at the Naval War College, Professor of Law at Exeter University, and Senior Fellow at the NATO CCD COE. He directed the Tallinn Manual project. The comments are in his personal capacity.

Very interesting. Professor Schmitt notes: “However, civilians who “directly participate in the hostilities” lose their protection from attack for such time as they are so participating. Thus, the enemy may attack civilians (such as individual hacktivists, government contractors, or member of the intelligence services) if they engage in hostile cyber operations.” I don’t think that a number of people who engage in hacktivism at the express or implicit direction of a government against another country’s systems think of themselves as combatants or think that they might be sanctioned for such action as if they were soldiers. Are there any cases yet where a country’s military has attempted to carry out reprisals against hackers in other countries, or is this still handled as a law enforcement matter?

It is not clear whom Professor Schmitt is criticizing in his remarks above, but his title suggests the members of the “non-legal communities” who are “skewing” the cyber debate are ethicists and moral philosophers, of which I am one, and of whom he otherwise made his views quite clear in Rome in November, 2013. Of the two principal issues he raises, however, I do not differ in the slightest, and am unaware (absent a specific citation) of who in the ethics community has raised these admittedly-misplaced concerns.

Schmitt is certainly correct to counter that States have always had the right to solicit citizen militias and other volunteers in their defense, who then lose their generic status as non-combatants. And Schmitt is likewise on point in warning that, absent proper conscription as combatants, such civilians (unlike legitimate combatants) might be subject to legal reprisal for their activities carried out within the domestic jurisdiction of other states, in addition to counter-attack by their adversaries in “war” (if that is what it is).

As to cyber weapons and strategies that target civilians: it was not an “ethicist,” but an eminent computer scientist and cyber weapons designer who first raised this concern. And it was wholly in the proper context that Schmitt acknowledges, regarding solely attacks that might do genuine physical harm to civilians and vital civilian infrastructure, and not at all merely “virtual vandalism” or public nuisance attacks.

So, where is the “skewing” by these “non-specialists?” This seems something of a straw man argument, at least without specific citations to authors, or examples of public figures who might rightly be criticized for promulgating mistaken views. There is a great deal of misinformation, including by experts, taking place in the cyber domain!

Otherwise, given the extraordinary care and thoughtful scholarship that went into the Tallinn Manual, I would have hoped for what Schmitt characterizes as its “widespread acceptance” in the international community. Sadly, as I learned recently to my great surprise, there is not a soul in Geneva, including the most ardent supporters of the Tallinn process and its results, who would endorse Schmitt’s characterization of its status. In particular, China, the Russian Federation, the North Koreans (not surprisingly), and a host of other national stakeholders in the discussion have disavowed the Tallinn Manual explicitly as “NATO-centric,” while the U.N. has made no move toward its endorsement.

Apparently this is not because of any genuine flaws in the sound scholarly interpretations of extant law offered therein, but from the fact that Professor Schmitt seems to take as dim a view of these other stakeholders’ interests and participation as he does that of representatives of the “non-legal communities.” That seems to me an unfortunate, if not tragic, political blunder.

2) My actual concern was that the Tallinn Manual’s findings have been misinterpreted in the non-legal debates. Such misinterpretations have a way of taking on a life of their own. For instance, on targeting hackers, we only addressed situations in which there was an armed conflict (war, in the classic sense) underway. However, discussion of the Manual often missed this determinative point. In fact, we did not address peacetime situations, although a project, Tallinn 2.0, is underway to do so. Misinterpretation of the Manual’s findings in this way could, obviously, have negative unintended consequences.

3) The Manual is used by government legal advisers, our key stakeholders, in virtually every capital of the world dealing with cyber issues. The follow-on process involves representatives from the very countries cited, except…North Korea. However, the real success of the Manual is that it has drawn attention to the fact that the cyber realm is subject to a rather robust body of international law and sparked debate as to its precise interpretation. Therefore, this reply to my post is most welcome as a contribution to that dynamic.

4) As to the non-legal communities, my views are well-known. Lawyers are not decision-makers. We are advisers, not unlike ethicists. All we were trying to do with the Tallinn Manual was lay out the legal boundaries of cyber operations to permit States to make better informed policy decisions. So, rather than taking a dim view of the non-legal community, my position is, and has always been, that lawyers exist to serve it.